With --leak-test at the final interp->exit_handler_list = NULL; interp is already freed #765

Closed
rurban opened this Issue May 4, 2012 · 3 comments


Member
rurban commented May 4, 2012

With --leak-test at the final interp->exit_handler_list = NULL; interp is already freed

I see two problems with --leak-test:

  1. invalid write interp->exit_handler_list = NULL;
  2. invalid call Parrot_x_jump_out with freed interp

gdb --args ./parrot --leak-test first.pir

Breakpoint 1, 0x000000000041a8c0 in __asan_report_error ()
(gdb) bt
#0 0x000000000041a8c0 in __asan_report_error ()
#1 0x000000000041ace7 in __asan_report_load8 ()
#2 0x00007ffff6c72539 in Parrot_x_jump_out (interp=, status=) at src/exit.c:71
#3 0x00007ffff6c72657 in Parrot_x_exit (interp=0x7ffff2f4be80, status=0) at src/exit.c:124
#4 0x00007ffff6c2bbfd in Parrot_api_destroy_interpreter (interp_pmc=) at src/embed/api.c:320
#5 0x00000000004070e6 in main (argc=, argv=) at frontend/parrot2/main.c:175

$ ./parrot --leak-test first.pir

first

==15822== ERROR: AddressSanitizer heap-use-after-free on address 0x7f18877aafe8 at pc 0x7f188b4d1539 bp 0x7fff0710fd90 sp 0x7fff0710fd88
READ of size 8 at 0x7f18877aafe8 thread T0
#0 0x7f188b4d1539 (/home/rurban/Perl/parrot/parrot-git/blib/lib/libparrot.so.4.3.0+0x40c539)
#1 0x7f188b4d1657 (/home/rurban/Perl/parrot/parrot-git/blib/lib/libparrot.so.4.3.0+0x40c657)
#2 0x7f188b48abfd (/home/rurban/Perl/parrot/parrot-git/blib/lib/libparrot.so.4.3.0+0x3c5bfd)
#3 0x4070e6 (/home/rurban/Perl/parrot/parrot-git/parrot+0x4070e6)
#4 0x7f1888118ead (/lib/x86_64-linux-gnu/libc-2.13.so+0x1eead)
0x7f18877aafe8 is located 360 bytes inside of 384-byte region [0x7f18877aae80,0x7f18877ab000)
freed by thread T0 here:
previously allocated by thread T0 here:
==15822== ABORTING
Stats: 1M malloced (1M for red zones) by 1561 calls
Stats: 0M realloced by 82 calls
Stats: 0M freed by 474 calls
Stats: 0M really freed by 0 calls
Stats: 44M (11271 full pages) mmaped in 11 calls
mmaps by size class: 8:16383; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:256; 15:128; 16:64; 17:32; 18:16;
mallocs by size class: 8:1147; 9:20; 10:17; 11:204; 12:57; 13:109; 14:2; 15:1; 16:1; 17:1; 18:2;
frees by size class: 8:230; 9:10; 10:7; 11:190; 12:30; 13:4; 15:1; 16:1; 17:1;
rfrees by size class:
Stats: malloc large: 3 small slow: 21
Shadow byte and word:
0x1fe310ef55fd: fd
0x1fe310ef55f8: fd fd fd fd fd fd fd fd
More shadow bytes:
0x1fe310ef55d8: fd fd fd fd fd fd fd fd
0x1fe310ef55e0: fd fd fd fd fd fd fd fd
0x1fe310ef55e8: fd fd fd fd fd fd fd fd
0x1fe310ef55f0: fd fd fd fd fd fd fd fd
=>0x1fe310ef55f8: fd fd fd fd fd fd fd fd
0x1fe310ef5600: fa fa fa fa fa fa fa fa
0x1fe310ef5608: fa fa fa fa fa fa fa fa
0x1fe310ef5610: 00 00 00 00 00 00 00 00
0x1fe310ef5618: 00 00 00 00 00 00 00 00

@Whiteknight Whiteknight was assigned May 4, 2012
@Whiteknight Whiteknight added a commit that closed this issue May 5, 2012
@Whiteknight Whiteknight Add a new Parrot_x_execute_on_exit_handlers to call exit handlers. Use that in the embedding API to fix an error where we were destroying the interp before attempting to call these handlers. This *should* fix #765
0b7ccce
@Whiteknight Whiteknight reopened this May 5, 2012
Member
rurban commented Jun 4, 2012

heap-use-after-free in interp->exit_handler_list = NULL still present, just now in Parrot_x_execute_on_exit_handlers()

$ ./parrot --leak-test first.pir 2>log.first
$ asan_symbolize.py < log.first

==30373== ERROR: AddressSanitizer heap-use-after-free on address 0x7faddba83fa0 at pc 0x7faddfa1088a bp 0x7fffff76d110 sp 0x7fffff76d108
WRITE of size 8 at 0x7faddba83fa0 thread T0
#0 0x7faddfa1088a in Parrot_x_execute_on_exit_handlers /home/rurban/Perl/parrot/build-d-asan/src/exit.c:137
#1 0x7faddf9c8740 in Parrot_api_destroy_interpreter /home/rurban/Perl/parrot/build-d-asan/src/embed/api.c:322
#2 0x407086 in main /home/rurban/Perl/parrot/build-d-asan/frontend/parrot2/main.c:176
#3 0x7faddc3f1ead in __libc_start_main /home/aurel32/eglibc/eglibc-2.13/csu/libc-start.c:260
0x7faddba83fa0 is located 288 bytes inside of 384-byte region [0x7faddba83e80,0x7faddba84000)
freed by thread T0 here:
previously allocated by thread T0 here:
==30373== ABORTING
Stats: 1M malloced (1M for red zones) by 1563 calls
Stats: 0M realloced by 82 calls
Stats: 0M freed by 474 calls
Stats: 0M really freed by 0 calls
Stats: 44M (11271 full pages) mmaped in 11 calls
mmaps by size class: 8:16383; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:256; 15:128; 16:64; 17:32; 18:16;
mallocs by size class: 8:1147; 9:20; 10:17; 11:204; 12:57; 13:111; 14:2; 15:1; 16:1; 17:1; 18:2;
frees by size class: 8:230; 9:10; 10:7; 11:190; 12:30; 13:4; 15:1; 16:1; 17:1;
rfrees by size class:
Stats: malloc large: 3 small slow: 21
Shadow byte and word:
0x1ff5bb7507f4: fd
0x1ff5bb7507f0: fd fd fd fd fd fd fd fd
More shadow bytes:
0x1ff5bb7507d0: fd fd fd fd fd fd fd fd
0x1ff5bb7507d8: fd fd fd fd fd fd fd fd
0x1ff5bb7507e0: fd fd fd fd fd fd fd fd
0x1ff5bb7507e8: fd fd fd fd fd fd fd fd
=>0x1ff5bb7507f0: fd fd fd fd fd fd fd fd
0x1ff5bb7507f8: fd fd fd fd fd fd fd fd
0x1ff5bb750800: fa fa fa fa fa fa fa fa
0x1ff5bb750808: fa fa fa fa fa fa fa fa
0x1ff5bb750810: 00 00 00 00 00 00 00 00

I silenced the failing --leak-test with PARROT_NO_ADDRESS_SAFETY_ANALYSIS on Parrot_x_execute_on_exit_handlers()

@Benabik Benabik reopened this Jun 4, 2012
Contributor
jkeenan commented Jun 12, 2012

Re-opening due to new test failure in file touched by commits apparently related to this ticket:

$ prove -v t/run/options.t 
t/run/options.t .. 
1..35
ok 1 - Start of help message
# ...
ok 26 - -r option <"./parrot" -D 8 -R slow "/tmp/8VxGioq5Az.pir" 2>&1>
illegal argument in Parrot_interp_info
current instr.: '__show_runtime_prefix_and_exit' pc 701 (frontend/parrot2/prt0.pir:267)
not ok 27 - --runtime-prefix

#   Failed test '--runtime-prefix'
#   at t/run/options.t line 96.
#                   ''
#     doesn't match '(?^:^.+$)'
ok 28 - --gc-dynamic-threshold needs argument warning
# ...
# Looks like you failed 1 test of 35.
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/35 subtests 

Test Summary Report
-------------------
t/run/options.t (Wstat: 256 Tests: 35 Failed: 1)
  Failed test:  27
  Non-zero exit status: 1
Files=1, Tests=35,  0 wallclock secs ( 0.03 usr  0.01 sys +  0.31 cusr  0.17 csys =  0.52 CPU)
Result: FAIL

Can someone investigate? Thanks.

Member
rurban commented Aug 24, 2012

Hopefully fixed with 2162db6.
Exit via exception fooled the old logic.
Now set and check for interp->final_exception, similar to the already_dying logic in issue #816.

@rurban rurban closed this Aug 24, 2012
@Whiteknight Whiteknight removed their assignment Mar 7, 2015
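
An added example, not Parrot's code and not part of the thread: a minimal C model of the teardown order this issue is about, where the exit handlers run and `exit_handler_list` is cleared before the interpreter is freed, and a `dying` flag keeps a handler that exits again from re-entering teardown. All `toy_*` names, the `dying` field and the sample handler are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical toy types for illustration; not Parrot's real structures. */
typedef struct toy_interp toy_interp;
typedef void (*exit_fn)(toy_interp *, int status, void *arg);
typedef struct handler { exit_fn fn; void *arg; struct handler *next; } handler;
struct toy_interp { handler *exit_handler_list; int dying; };
int toy_on_exit(toy_interp *in, exit_fn fn, void *arg) {
    handler *h = malloc(sizeof *h);
    if (!h) return -1;
    h->fn = fn; h->arg = arg; h->next = in->exit_handler_list;
    in->exit_handler_list = h;
    return 0;
}
/* Runs and frees all handlers; must be called while `in` is still allocated. */
int toy_run_exit_handlers(toy_interp *in, int status) {
    if (in->dying) return 0;          /* a handler asked to exit again: no-op */
    in->dying = 1;
    handler *h = in->exit_handler_list;
    in->exit_handler_list = NULL;     /* valid write: interp not freed yet */
    int ran = 0;
    for (; h; ran++) {
        handler *next = h->next;
        h->fn(in, status, h->arg);
        free(h);
        h = next;
    }
    return ran;
}
/* Teardown order: handlers first, free last, then clear the caller's pointer. */
int toy_destroy(toy_interp **inp, int status) {
    if (!inp || !*inp) return 0;
    int ran = toy_run_exit_handlers(*inp, status);
    free(*inp);
    *inp = NULL;                      /* no later code can reach the freed interp */
    return ran;
}
/* Constructed sample handler: counts calls, then tries to exit re-entrantly. */
static void count_and_reexit(toy_interp *in, int status, void *arg) {
    ++*(int *)arg;
    toy_run_exit_handlers(in, status);
}
/* Returns handler calls seen, or -1 if a teardown invariant was violated. */
int demo(void) {
    int calls = 0;
    toy_interp *in = calloc(1, sizeof *in);
    if (!in || toy_on_exit(in, count_and_reexit, &calls) || toy_on_exit(in, count_and_reexit, &calls)) return -1;
    return (toy_destroy(&in, 0) == 2 && in == NULL && toy_destroy(&in, 0) == 0) ? calls : -1;
}
int main(void) { return demo() == 2 ? 0 : 1; }
```

Building this with `-fsanitize=address` and moving the `free(*inp)` above the handler call reproduces the class of report shown in the thread.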